[angr] Load blob in x86 real mode

Ronny Chevalier chevalier.ronny at gmail.com
Tue Mar 8 00:51:09 PST 2016


On Tue, Mar 8, 2016 at 4:28 AM, Ronald Lai <pewpewsecure at gmail.com> wrote:
> Thanks! I'm actually working with BIOS sort of code right now, so that's
> exactly what I need. I'm trying to run some path groups on it, and the
> DO_CCALLS option is enabled by default for path group exploration at least.
> However, the issue I'm having is that VEX conventionally treats data/address
> operand sizes as 32-bit rather than the desired 16-bit for real mode, e.g. it
> lifts opcodes
>
> ba 38 01 ed 24 1f
>
> to
>
> mov edx, 0x24ed0138
>
> instead of
>
> mov dx, 0x138
> in ax, dx
> and al, 1f
>
> Is the DO_CCALLS option supposed to deal with this as well?
>

The goal of DO_CCALLS is to handle the change of memory addressing,
the GDT and the LDT. We also added the cr0 register so that VEX knows
whether it is in real or protected mode. In archinfo/arch_x86.py, we
set up x86_cr0 by default with the protected mode bit set to 1; change
this bit to 0 and see if it works better now :) If DO_CCALLS is not
enabled, VEX will not handle a modification of the protected mode bit.

I handled the address operand size and data operand size so that they
change according to the value of the protected mode bit of the cr0
register. But I did not test this thoroughly; there are probably some
instructions not handled properly, and I know for sure that there are
some jumps that are not supported (but you will hit an assert if it
tries to decode one of them).
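The byte string quoted in the thread is a good illustration of why the cr0 protected mode bit matters to the lifter: the default operand size decides how many immediate bytes `ba` (mov (e)dx, imm) consumes, so decoding with the wrong default desynchronises every instruction after it. The toy decoder below is an added example, not angr or VEX code and not part of the original thread; it handles only the opcodes needed for the quoted bytes plus the 0x66 operand-size override, and it derives the default operand size from bit 0 of a cr0 value (CR0.PE) the way the reply describes. The function names and the `CR0_PE` constant are this example's own.

```python
# Toy x86 decoder, added as a stand-alone illustration (not angr/VEX code).
# It decodes only the opcodes present in the quoted blob and shows how the
# default operand size, chosen from CR0.PE, changes the instruction stream.

CR0_PE = 1 << 0  # architectural cr0 bit 0: protected mode enable


def default_operand_size(cr0):
    """32-bit default when CR0.PE is set (protected mode), 16-bit in real mode."""
    return 32 if cr0 & CR0_PE else 16


def decode(code, cr0):
    """Decode `code` into a list of (offset, mnemonic) tuples.

    Opcodes handled (enough for the bytes discussed in the thread):
      66        operand-size override prefix (toggles 16 <-> 32)
      BA imm    mov (e)dx, imm16 / imm32
      EC / ED   in al, dx / in (e)ax, dx
      24 imm8   and al, imm8
      1F        pop ds
    Anything else raises ValueError, much like the assert the lifter hits on
    an unsupported instruction.
    """
    insns = []
    i = 0
    while i < len(code):
        start = i
        osize = default_operand_size(cr0)
        op = code[i]
        i += 1
        if op == 0x66:
            if i >= len(code):
                raise ValueError(f'dangling prefix at offset {start}')
            osize = 48 - osize  # 16 -> 32 or 32 -> 16
            op = code[i]
            i += 1

        if op == 0xBA:
            nbytes = osize // 8
            imm_bytes = code[i:i + nbytes]
            if len(imm_bytes) < nbytes:
                raise ValueError(f'truncated immediate at offset {start}')
            i += nbytes
            reg = 'edx' if osize == 32 else 'dx'
            imm = int.from_bytes(imm_bytes, 'little')
            insns.append((start, f'mov {reg}, {imm:#x}'))
        elif op == 0xEC:
            insns.append((start, 'in al, dx'))
        elif op == 0xED:
            reg = 'eax' if osize == 32 else 'ax'
            insns.append((start, f'in {reg}, dx'))
        elif op == 0x24:
            if i >= len(code):
                raise ValueError(f'truncated immediate at offset {start}')
            imm = code[i]
            i += 1
            insns.append((start, f'and al, {imm:#x}'))
        elif op == 0x1F:
            insns.append((start, 'pop ds'))
        else:
            raise ValueError(f'unsupported opcode {op:#04x} at offset {start}')
    return insns


# The bytes quoted in the thread (constructed input for this example).
BLOB = bytes.fromhex('ba3801ed241f')

if __name__ == '__main__':
    for name, cr0 in (('real mode (CR0.PE=0)', 0), ('protected mode (CR0.PE=1)', CR0_PE)):
        print(name)
        for off, text in decode(BLOB, cr0):
            print(f'  {off:02x}: {text}')
```

With CR0.PE clear the blob decodes as `mov dx, 0x138` / `in ax, dx` / `and al, 0x1f`; with it set, `mov edx, 0x24ed0138` swallows the `ed 24` bytes and the trailing `1f` becomes a spurious `pop ds`, which is exactly the mismatch reported above. In angr the equivalent fix is the one the reply suggests, changing the default x86_cr0 value in archinfo/arch_x86.py; that is not reproduced here.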

